On Thu, 2014-02-13 at 10:31 -0800, Brian Smith wrote:
> > I say go ahead, this is after all about observations.
> >
> > FWIW, I have a list of CAs here that send some weird replies and I can
> > show their OCSPs have lapses from time to time...
>
> If you share some more information about this, either on this list or
> privately, I will bring it up next week at the CA/Browser Forum
> meeting. I am very interested in this particular problem and data &
> measurements would be extremely helpful.
The CA has fixed the issue in the meantime, after I had reported it to them, and I confirmed it's fixed. Because of a bug their software wasn't able to provide the real status for the certificate; instead it had sent out an error response (status unauthorized). On my side, because I had configured Firefox to strictly require good OCSP responses, I was presented a "certificate revoked" error message. Although the CA's OCSP responder didn't send the right status, at least it used the safe default, which I appreciate.

Independently of this specific CA, this event could be seen as a general reminder that OCSP responders can have bugs, or return incorrect status for other reasons. I got a false negative, which is safe. But I'm worried software bugs in OCSP responders could also result in false positives.

I think CAs should ideally monitor their own servers for bugs, but maybe we cannot rely on that? Maybe it motivates CAs if we're watching them?

How about regularly probing the OCSP responders of the global CAs for correctness? It could fetch CRLs, and each day select a random set of certificates, both revoked and unrevoked, and query the OCSP responders for the expected results.

Is this something the Observatory would be motivated to implement?

Regards
Kai
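The daily probe sketched in the message above, written out as an added example; this is not code from the thread or from the Observatory. It takes the CRL as the source of truth, samples revoked and unrevoked serials, asks the responder, and classifies each answer so that the two failure modes the message distinguishes (a good certificate reported as revoked or answered with an error, which is fail-safe, versus a revoked certificate reported as good, which is not) are kept apart. The network-facing functions assume the `cryptography` package is installed; the serials and responder statuses in the `__main__` demonstration are constructed, not real observations.

```python
"""Sketch of a daily OCSP correctness probe (added example, not the thread's own code)."""
import random
import urllib.request

# Responder outcomes, reduced to what the probe needs to reason about.
GOOD = "good"
REVOKED = "revoked"
UNKNOWN = "unknown"
ERROR = "error"  # responseStatus other than successful, e.g. unauthorized or tryLater

# Verdicts for one (expected, observed) pair.
MATCH = "match"                            # responder agrees with the CRL
REVOKED_AS_GOOD = "revoked-reported-good"  # dangerous: clients would accept a revoked cert
GOOD_AS_REVOKED = "good-reported-revoked"  # wrong but fail-safe: clients reject a valid cert
ERROR_RESPONSE = "error-response"          # no status at all; strict clients reject, soft-fail clients proceed
UNKNOWN_STATUS = "unknown-status"          # responder disclaims knowledge of a cert its CA issued


def verdict(expected, observed):
    """Compare the status the CRL predicts with what the responder actually said."""
    if observed == ERROR:
        return ERROR_RESPONSE
    if observed == UNKNOWN:
        return UNKNOWN_STATUS
    if observed == expected:
        return MATCH
    return REVOKED_AS_GOOD if expected == REVOKED else GOOD_AS_REVOKED


def daily_sample(revoked, unrevoked, k, seed):
    """Pick up to k serials from each population; seeding with e.g. the date makes a run reproducible."""
    rng = random.Random(seed)
    sample = [(s, REVOKED) for s in rng.sample(sorted(revoked), min(k, len(revoked)))]
    sample += [(s, GOOD) for s in rng.sample(sorted(unrevoked), min(k, len(unrevoked)))]
    return sample


def summarize(verdicts):
    """Count verdicts; anything other than MATCH is worth a report to the CA."""
    counts = {}
    for v in verdicts:
        counts[v] = counts.get(v, 0) + 1
    return counts


def revoked_serials_from_crl(crl_der):
    """Serial numbers listed in a DER-encoded CRL, the probe's source of truth for 'revoked'."""
    from cryptography import x509  # assumption: the cryptography package is installed
    crl = x509.load_der_x509_crl(crl_der)
    return {entry.serial_number for entry in crl}


def query_ocsp(cert_pem, issuer_pem, ocsp_url):
    """Ask the responder about one certificate and reduce the answer to GOOD/REVOKED/UNKNOWN/ERROR.

    A production probe must also verify the response signature against the issuer
    (or its delegated responder) before believing the status; that check is omitted here.
    """
    from cryptography import x509  # assumption: the cryptography package is installed
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.x509 import ocsp

    cert = x509.load_pem_x509_certificate(cert_pem)
    issuer = x509.load_pem_x509_certificate(issuer_pem)
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()
    http_req = urllib.request.Request(
        ocsp_url,
        data=req.public_bytes(serialization.Encoding.DER),
        headers={"Content-Type": "application/ocsp-request"},
    )
    with urllib.request.urlopen(http_req, timeout=10) as resp:
        body = resp.read()
    response = ocsp.load_der_ocsp_response(body)
    if response.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return ERROR
    status = response.certificate_status
    if status == ocsp.OCSPCertStatus.GOOD:
        return GOOD
    if status == ocsp.OCSPCertStatus.REVOKED:
        return REVOKED
    return UNKNOWN


if __name__ == "__main__":
    # Constructed offline demonstration: serial 0x4d is good per the CRL but the responder
    # answers with an error, which is the incident described in the message above.
    sample = daily_sample(revoked={0x1A, 0x2B, 0x3C}, unrevoked={0x4D, 0x5E}, k=2, seed="2014-02-14")
    simulated = {0x1A: REVOKED, 0x2B: REVOKED, 0x3C: REVOKED, 0x4D: ERROR, 0x5E: GOOD}
    print(summarize(verdict(expected, simulated[serial]) for serial, expected in sample))
```

In a real deployment `revoked_serials_from_crl` and `query_ocsp` replace the `simulated` table, the unrevoked population comes from certificates the Observatory has already collected, and any day whose summary contains a `revoked-reported-good` entry should be raised with the CA immediately, since that is the case no client-side strictness setting can catch.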
